[Bug binutils/28172] New: heap-buffer-overflow on `nm-new -a -l`

shaohua.li at inf dot ethz.ch Mon, 02 Aug 2021 13:20:50 -0700

https://sourceware.org/bugzilla/show_bug.cgi?id=28172


            Bug ID: 28172
           Summary: heap-buffer-overflow on `nm-new -a -l`
           Product: binutils
           Version: 2.38 (HEAD)
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: binutils
          Assignee: unassigned at sourceware dot org
          Reporter: shaohua.li at inf dot ethz.ch
  Target Milestone: ---

Created attachment 13582
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13582&action=edit
poc

Hi there,

I found a heap-buffer-overflow on `nm-new -a -l` with a fuzzer.

- binutils version: 2.38(Head), commit af51804103a08cd1e12edc4f4a30eec2c5c4f9e8
- Compiler: clang12
- Platform: Ubuntu 18.04.5 LTS, x86_64
- Reproduce: run `nm-new -a -l poc`

AddressSanitizer report:

==526==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000002bf
at pc 0x0000005030c1 bp 0x7ffd40963900 sp 0x7ffd409638f8
READ of size 1 at 0x6070000002bf thread T0
    #0 0x5030c0 in bfd_getl16 /binutils_latest/repo/bfd/libbfd.c:633:11
    #1 0xe918e9 in bfin_pcrel24_reloc
/binutils_latest/repo/bfd/elf32-bfin.c:133:9
    #2 0x154b6b7 in bfd_perform_relocation
/binutils_latest/repo/bfd/reloc.c:711:14
    #3 0x154f66f in bfd_generic_get_relocated_section_contents
/binutils_latest/repo/bfd/reloc.c:8463:10
    #4 0x4eaa6f in bfd_get_relocated_section_contents
/binutils_latest/repo/bfd/bfd.c:2166:10
    #5 0x1551708 in bfd_simple_get_relocated_section_contents
/binutils_latest/repo/bfd/simple.c:298:14
    #6 0x6a2d07 in _bfd_dwarf1_find_nearest_line
/binutils_latest/repo/bfd/dwarf1.c:523:4
    #7 0x5cfd47 in _bfd_elf_find_nearest_line
/binutils_latest/repo/bfd/elf.c:9206:7
    #8 0x4d1c99 in print_symbol /binutils_latest/repo/binutils/nm.c:1072:12
    #9 0x4ceaeb in print_symbols /binutils_latest/repo/binutils/nm.c:1152:7
    #10 0x4cd23c in display_rel_file /binutils_latest/repo/binutils/nm.c:1279:5
    #11 0x4c97dd in display_file /binutils_latest/repo/binutils/nm.c:1446:7
    #12 0x4c90db in main /binutils_latest/repo/binutils/nm.c:1965:12
    #13 0x7f5a1a0a90b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #14 0x41c55d in _start (/out_bin/nm-new+0x41c55d)

0x6070000002bf is located 1 bytes to the left of 66-byte region
[0x6070000002c0,0x607000000302)
allocated by thread T0 here:
    #0 0x49741d in malloc (/out_bin/nm-new+0x49741d)
    #1 0x502ac2 in bfd_malloc /binutils_latest/repo/bfd/libbfd.c:289:9
    #2 0x15512fe in bfd_simple_get_relocated_section_contents
/binutils_latest/repo/bfd/simple.c:265:27
    #3 0x6a2d07 in _bfd_dwarf1_find_nearest_line
/binutils_latest/repo/bfd/dwarf1.c:523:4
    #4 0x5cfd47 in _bfd_elf_find_nearest_line
/binutils_latest/repo/bfd/elf.c:9206:7
    #5 0x4d1c99 in print_symbol /binutils_latest/repo/binutils/nm.c:1072:12
    #6 0x4ceaeb in print_symbols /binutils_latest/repo/binutils/nm.c:1152:7
    #7 0x4cd23c in display_rel_file /binutils_latest/repo/binutils/nm.c:1279:5
    #8 0x4c97dd in display_file /binutils_latest/repo/binutils/nm.c:1446:7
    #9 0x4c90db in main /binutils_latest/repo/binutils/nm.c:1965:12
    #10 0x7f5a1a0a90b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/binutils_latest/repo/bfd/libbfd.c:633:11 in bfd_getl16
Shadow bytes around the buggy address:
  0x0c0e7fff8000: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff8010: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x0c0e7fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
=>0x0c0e7fff8050: 00 00 00 fa fa fa fa[fa]00 00 00 00 00 00 00 00
  0x0c0e7fff8060: 02 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==526==ABORTING

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug binutils/28172] New: heap-buffer-overflow on `nm-new -a -l`

Reply via email to